\section{The Security@Runtime Approach}
\label{sec:Approach}

 At the center of our approach is the \emph{Security@Runtime} (\SAR) \textsc{Dsl}, used for the \emph{configuration} of the security enforcement mechanisms. This Section starts by presenting our \textsc{Pdp/Pep} architecture for enforcing \SAR security \emph{configurations}, then describes each \SAR component in detail.

\begin{figure}[t]
	\center
	\resizebox{\columnwidth}{!}{\includegraphics{Overview2.pdf}}	
	\caption{Architecture Overview} %\SAR is composed of different sublanguages: Static Mapping (\textsc{Sm}) between both specifications; Security Rules (\textsc{Sr}) for expressing policy rules; Rules Status (\textsc{Rs}) representing the dynamic status of rules; Dynamic State (\textsc{Ds}) maintaining a representation of the application's state; Dynamic Binding (\textsc{Db}) for defining rules contexts and action scenarii. The Policy Decision Logic (\textsc{Pdl}), connected to several components, sends access control decisions back to the application runtime.}
	\label{fig:approach}
   \vspace{-0.5cm}
\end{figure}
 
\subsection{Architecture Overview}
\label{sec:ApproachOverview}

Figure \ref{fig:approach} shows the main components of the security enforcement architecture, namely the (i) \textsc{Pap}, (ii) \textsc{Pep} and (iii) \textsc{Pdp}. 
The Policy Administration Point (\textsc{Pap}) allows the specification of a \emph{\SAR configuration} for the \textsc{Pep} and the \textsc{Pdp}. The \textsc{Pep} monitors the application, using \textsc{Aop}~\cite{Kiczales1997} (in our case, AspectJ), and filters out information that is irrelevant to policy enforcement based on the configuration. Three events are monitored by the \textsc{Pep}: \emph{instance creation}, \emph{instance field updates} and \emph{method calls}. If an event is relevant to policy management or enforcement, then the \textsc{Pep} notifies the \textsc{Pdp} to update the \emph{effective} security policy accordingly, e.g. activate a new obligation. When an event corresponds to a method call, the \textsc{Pdp} computes an access decision. If access is granted, then execution proceeds; otherwise, different actions are possible: (1) a runtime security exception is raised with an appropriate message, (2) the system is stopped, or (3) the method execution is skipped. In our current prototype's implementation, a security exception is raised after access denial. 


